apiVersion: batch/v1
kind: Job
metadata:
  name: kaniko
  annotations:
    # Setting spec.force to true will make Flux recreate the Job when any
    # immutable field is changed, forcing the Job to run.
    kustomize.toolkit.fluxcd.io/force: enabled
spec:
  template:
    spec:
      initContainers:
      - name: copy-workspace
        image: busybox
        command: ["/bin/cp"]
        args:
        - "-r" # Recurse
        - "-L" # Follow all symlinks
        - "/mnt/workspace"
        - "/"
        volumeMounts:
        - name: dockerfile-storage
          mountPath: /mnt/workspace/build.sh
          subPath: build.sh
        - name: dockerfile-storage
          mountPath: /mnt/workspace/Dockerfile
          subPath: Dockerfile
        - name: dockerfile-storage
          mountPath: /mnt/workspace/rootfs/bin/entrypoint
          subPath: entrypoint
        - name: dockerfile-storage
          mountPath: /mnt/workspace/rootfs/home/oleg/.config/systemd/user/foot.service
          subPath: foot.service
        - name: dockerfile-storage
          mountPath: /mnt/workspace/rootfs/home/oleg/.config/systemd/user/idea.service
          subPath: idea.service
        - name: dockerfile-storage
          mountPath: /mnt/workspace/rootfs/home/oleg/.config/systemd/user/pycharm.service
          subPath: pycharm.service
        - name: dockerfile-storage
          mountPath: /mnt/workspace/rootfs/home/oleg/.config/systemd/user/vscode.service
          subPath: vscode.service
        - name: dockerfile-storage
          mountPath: /mnt/workspace/rootfs/home/oleg/.config/systemd/user/firefox.service
          subPath: firefox.service
        - name: dockerfile-storage
          mountPath: /mnt/workspace/rootfs/home/oleg/.config/aichat/config.yaml
          subPath: aichat.yaml
        - name: dockerfile-storage
          mountPath: /mnt/workspace/rootfs/etc/systemd/system/getty@tty10.service.d/autologin.conf
          subPath: autologin.conf
        - name: workspace
          mountPath: /workspace
        resources:
          limits:
            cpu: 10m
            memory: 10Mi
          requests:
            cpu: 10m
            memory: 10Mi
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 1000
          runAsGroup: 998
      - name: chmod-hooks
        image: busybox
        command: ["/bin/sh"]
        args:
        - "-xc"
        - |
          chmod +x /workspace/build.sh /workspace/rootfs/bin/entrypoint
        volumeMounts:
        - name: workspace
          mountPath: /workspace
        resources:
          limits:
            cpu: 10m
            memory: 10Mi
          requests:
            cpu: 10m
            memory: 10Mi
        securityContext:
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 1000
          runAsGroup: 998
      containers:
      - name: kaniko
        image: gcr.io/kaniko-project/executor:v1.23.2
        args:
        - "--push-retry=10"
        - "--destination=harbor.home.wugi.info/library/archlinux-systemd:316b4536" # git rev-parse HEAD | cut -c -8
        volumeMounts:
        - name: kaniko-secret
          mountPath: /kaniko/.docker
        - name: workspace
          mountPath: /workspace
      restartPolicy: Never
      volumes:
      - name: kaniko-secret
        secret:
          secretName: regcred
          items:
          - key: .dockerconfigjson
            path: config.json
      - name: dockerfile-storage
        configMap:
          name: data
      - name: workspace
        emptyDir:
          sizeLimit: 300M
  backoffLimit: 0
